WHO Global Information Security Policy and Guidelines, November 2005

Information Technology & Telecommunications Department, General Management



Table of Contents

I. Overview
  I.1 Scope
  I.2 Policy Framework
II. Information Security Policy
  II.1 Awareness
  II.2 Responsibility
  II.3 Response
  II.4 Ethics
  II.5 Risk assessments
  II.6 Information security design and implementation
  II.7 Information security management
  II.8 Reassessment
III. Implementing Guidelines
  III.1 Awareness
  III.2 Responsibility
  III.3 Response
  III.4 Ethics
  III.5 Risk assessments
  III.6 Information security design and implementation
  III.7 Information security management
  III.8 Reassessment
Acknowledgements
Annex A: Sample Technical and End-User Policy Domains


I. Overview

1. The security (confidentiality, integrity and availability) of information, and associated systems and networks, is a critical business requirement of WHO. In order to meet this requirement, I, the Director-General, endorse this information security policy as the highest level statement on information security. All owners, custodians and users of information, and associated systems and networks, throughout the organization, should read and abide by this policy.

"The aim of the WHO Global Information Security Policy is to provide senior management with an effective capacity to protect the World Health Organization's worldwide information assets".

2. Availability and integrity of information are vital components of WHO's business operations. WHO's mission, "the attainment by all peoples of the highest possible level of health", is dependent on the ability to source and manage information and disseminate it when and where required. While WHO as a public health organization has a mandate to share knowledge, some information held by the organization is internal and sensitive and cannot be shared.

3. The WHO Global Information Security Policy and Implementing Guidelines provide a framework to manage the risk of compromise and support business continuity of WHO's critical information assets and resources. The guidelines formalize the organization's information security capability and form part of WHO's corporate governance for managing ongoing risk to WHO's critical assets and reputation.

4. The WHO Global Information Security Policy and Implementing Guidelines are developed in accordance with international standards and best practices.

I.1 Scope

5. The WHO Global Information Security Policy and Implementing Guidelines cover all WHO information and communication assets. This includes online and offline IT systems, networks, databases, communications systems (such as phones and mobile devices), conferencing systems, managed or hosted services, applications, and documents.

6. All WHO staff and consultants have the responsibility to respect and comply with the WHO Global Information Security Policy and associated implementing guidelines, technical and end-user policies.

I.2 Policy Framework

7. The WHO Global Information Security Policy provides a framework for protecting WHO's global information assets and services. "Protection" is defined as acceptable management of risks to reputation, availability, confidentiality, integrity and accountability.

8. The information security policy framework used within WHO is described in Figure 1 below. The top-down approach is defined by a policy statement ("WHO Global Information Security Policy") and the WHO Global Information Security Implementing Guidelines. The Implementing Guidelines expand on the information security policy by defining the lifecycle for information security at WHO, encompassing information security policy development, assessment, review and education, and the WHO Information Security Management System (ISMS). Technical and end-user policies are issued to address more specific areas of risk to WHO assets.

Figure 1 - WHO Information Security Policy Framework (diagram; the top-down layers are reproduced here as text)

Policy Framework, from top to bottom:
1. Global Information Security Policy
2. Global Information Security Implementing Guidelines and ISMS (*)
3. Information Security Technical Policy, realised as Technical Policies. Examples: Network and Communications Security; Enterprise Applications Security; Data Access Security
4. Information Security User Policy, realised as End User Policies. Examples: Acceptable Use Policy; Email Policy; Password Policy

All layers rest on industry standards and practices.

(*) ISMS: Information Security Management System (ref. ISO27001 and ISO17799)


II. Information Security Policy

II.1 Awareness

9. All WHO staff, contractors, consultants and business units must be aware of the need for information security and what they can do to enhance security.

10. Staff and external organizations accessing WHO information systems must be familiar with the WHO Information Security Policy and its requirements.

II.2 Responsibility

11. All WHO staff and business units are explicitly responsible for information security.

12. WHO staff and business units depend upon interconnected local and global information systems and networks and should understand their responsibility for the security of those information systems and networks. The WHO Chief Information Security Officer (CISO) is charged with responsibility for information security. He/She has the mandate and authority to assist WHO staff and business units to address their responsibility and comply with this information security policy and associated information security policies, standards and guidelines.

II.3 Response

13. All WHO staff and business units must act in a timely and co-operative manner to prevent, detect and respond to security incidents.

14. A solid information security monitoring and incident response capacity is important and will be implemented throughout the organization, in addition to effective prevention measures, since no information security protection or prophylactic scheme is perfect. It is the duty of all WHO staff, consultants, contractors and business units to report any violation of the WHO Information Security Policy to the CISO.

II.4 Ethics

15. All WHO staff and business units must respect the legitimate interests of others and the organization.

16. Ethical and acceptable use of information, and associated systems and networks, must be respected and strictly maintained by all WHO staff and business units.

II.5 Risk assessments

17. All WHO staff and business units should support the conduct of risk assessments.

18. Risk assessment allows determination of the acceptable level of risk and assists the selection of appropriate controls to manage the risk of potential harm to information systems and networks in the light of the nature and importance of the information to be protected. The CISO is charged with the mandate and authority to implement a security program which ensures that periodic and timely information security assessments of critical WHO information systems and networks are conducted throughout the organization.


II.6 Information security design and implementation

19. All WHO staff and business units must incorporate information security as an essential element of information systems and network design and implementation.

20. The CISO must be involved at the earliest stages of WHO information systems and networks development. Security design and architecture must be incorporated into all phases of the information systems and networks life cycle, i.e. architectural design, system design, implementation, testing, maintenance and replacement.

II.7 Information security management

21. All WHO staff and business units should adopt a comprehensive approach to security management.

22. The information security management process consists of the cycle of PLAN (policy, assess, choose security controls), DO (operate controls), CHECK (check effectiveness), and ACT (correct and improve). The WHO Information Security Policy defines the formal information security management process to be applied in maintaining and enhancing the security of all critical information systems and networks throughout WHO.

II.8 Reassessment

23. All WHO staff and business units must support the review and reassessment of information systems and networks, and make appropriate modifications to security policies, practices and procedures as determined by the CISO.

24. New and changing threats and vulnerabilities are continuously discovered. All owners, custodians and users of information, and associated systems and networks at WHO, must accept the CISO's ongoing review, reassessment and recommendations on all aspects of security to deal with evolving risks.


III. Implementing Guidelines

III.1 Awareness

All WHO staff, contractors, consultants and business units must be aware of the need for information security and what they can do to enhance security.

25. The information security awareness and training program will be maintained and conducted jointly by the Chief Information Security Officer ("CISO"), offices and departments responsible for Information Technology and those responsible for staff training. The program will include a local awareness component delivered in conjunction with Designated Information Security Officers (described in paragraphs 37-40).

26. The program covers:

a) Staff briefing on information security at WHO;
b) Communication of early-warning, advisory and general information;
c) Awareness campaigns such as posters, mail drops, and classifieds;
d) InfoSec Home Page Web site;
e) InfoSec Forum and Workshops;
f) End-user policy guide and Q & A distributed to new staff and external consultants or vendors;
g) Any other expert presentations or material that is deemed necessary by information security staff, training group or management.

27. Key awareness areas to be covered include:

a) Program existence and mandate;
b) The requirement to consult the CISO for all new or revised projects;
c) Budgeting and requirement for security assessments;
d) Promotion of new monitoring initiatives;
e) Promotion of information security policy, standards and end user policies.

III.2 Responsibility

All WHO staff and business units are explicitly responsible for information security.

Staff, Consultants, Contractors and Service Providers

28. As part of the "WHO Conditions of Employment" (and consultant or supplier terms of contract), staff members will be required to agree in writing to compliance with the WHO Information Security Policy (and end user policies). Written copies of end user policies will be provided at the time of commencement of employment or work for WHO and will be posted on the Organization's Intranet.

29. Individuals are responsible and accountable for complying with this policy for information under their control. The ultimate responsibility for information security rests with the owners of the information.

30. It is the responsibility of project managers and their staff to ensure that any vendors or service providers working with WHO agree to the WHO Information Security Policy.


31. Failure to comply with WHO information security policies will result in disciplinary action being taken against an individual or entity contracted by the organization. This action may include requiring ongoing compliance measures, removal of access, or for serious offences, termination of employment or contract or other legal measures.

Chief Information Security Officer (Global Function)

32. The Chief Information Security Officer ("CISO") assesses risks globally to WHO assets, and ensures senior management is aware of their current risk profile. Through a combination of policy and technical strategies, the CISO is able to reduce and monitor risks defined by management as unacceptable. This ongoing process is designed to assure protection of critical WHO assets and provide management with a clear understanding of their risk position.

33. The global CISO function must be funded to achieve its objectives. Funding is required for security hardware, software, personnel and service costs directly related to global strategies and services for protecting WHO's information, IT systems, reputation and also regulatory compliance.

34. The CISO is responsible for:

a) Development of global policies in conjunction with management and G-WG-InfoSec;
b) In-depth information security assessment and review;
c) Continuous monitoring, surveillance and compliance;
d) Adoption of global protection strategies;
e) Awareness and training program (described in paragraphs 9-10);
f) Supporting business units, departments and major offices to develop local policy through the provision of a global information security policy framework.

35. The CISO provides proactive global leadership and advocacy of information security issues within WHO.

36. The CISO is an independent global entity with a reporting channel to IT Governance, to ensure collective compliance with the WHO Global Information Security Policy.

Designated Information Security Officers (DISO, Major Office Function)

37. Each major office (including HQ, Regions and IARC) will have a designated information security officer. Each Designated Information Security Officer will assist the CISO to implement the Global Information Security Policy, perform assessment and compliance functions within their Office, and develop office specific information security policies and controls.

38. The designated information security officer may be a specialized information security professional, or a member of staff with responsibility for major office information security controls such as policies, information security self-assessment, firewalls, virus protection, and application security. He/She has the responsibility to report to the CISO on the compliance of each major office and respective country office with the WHO Global Information Security Policy. He/She will also oversee the implemented information security controls to ensure information security and integrity is maintained (such as patches) to agreed levels. Designated Information Security Officers will receive advisories from the CISO and also receive updates from specialized monitoring systems to assist them in their information security function.


39. The DISO function must be funded to achieve its objectives. Funding is required for security hardware, software, personnel and service costs directly related to major office global policy compliance and operational services for protecting WHO's regional information, IT systems, reputation and also local regulatory compliance.

40. Each Designated Information Security Officer is responsible for:

a) Development of local policies and procedures within the framework of the WHO Global Information Security Policy;
b) Managing vulnerabilities;
c) Raising local staff awareness by developing a local awareness program (described in paragraphs 9-10);
d) Maintaining local control systems, e.g. anti-malware (virus/worm, SPAM, spyware, phishing);
e) Security threats to Internet-based databases, web sites, e-mail servers, etc.;
f) Reporting an annual self-assessment of major office compliance with the WHO Global Information Security Policy. The CISO will perform a tri-annual formal assessment of compliance.

Global Working Group on Information Security

41. The Global Working Group on Information Security ("G-WG-InfoSec") consists of the CISO, DISOs and other nominated information security specialists from all of the WHO major offices, with management and technical responsibility for information security. The G-WG-InfoSec facilitates information security collaboration and agreement between the CISO and all of the WHO major offices, fosters information security awareness and leadership at all levels of the organization, and provides a review and consensus mechanism for new information security policy and standards development.

Global Information Security Governance

42. The Global Information Security Governance group provides executive oversight and direction to the global information security function within the organization.

43. Membership includes the CISO, ICT leadership from HQ, Regions, IARC, GSM and also ADG/GMG.

44. The Global Information Security Governance group will meet annually during the ICT Global Management Team meeting. The agenda will include:

a) Annual report by the CISO on the performance and outcomes of the implementation of the WHO Global Information Security Policy;
b) Discussion of the upcoming work plan;
c) Providing guidance on the resources required to meet program objectives.

Management Responsibility

45. Executive Management bears the responsibility for ensuring strong support for the WHO Global Information Security Policy and Implementing Guidelines, and the CISO function, including providing adequate resources to maintain the information security controls needed to manage risks to organizational information.


46. WHO staff and business units depend upon interconnected local and global information systems and networks and should understand their responsibility for the security of those information systems and networks. The WHO Chief Information Security Officer (CISO) is charged with responsibility for information security. He/She has the mandate and authority to assist WHO staff and business units to address their responsibility and comply with this information security policy and associated information security policies, standards and guidelines.

III.3 Response

All WHO staff and business units must act in a timely and co-operative manner to prevent, detect and respond to information security incidents.

47. The CISO provides a general incident response strategy for WHO, and for incidents of a critical nature, the CISO can leverage incident response advisory and forensic services provided by external experts.

The CISO must be contacted for any known or perceived breach of information security at WHO globally.

48. The DISO will monitor critical assets, including automated monitoring, to continually assess compliance with the WHO Global Information Security Policy and risk levels to WHO, and will escalate breaches of the information security policy to the CISO using procedures and thresholds agreed to through the G-WG-InfoSec. This is to ensure protection strategies are effective, and to enable accurate reporting to management of the current corporate risk profile.

49. Prevention may also be included with the monitoring function, to prohibit non-compliant systems from affecting WHO assets.

III.4 Ethics

All WHO staff and business units must respect the legitimate interests of others and the organization.

50. The CISO will provide policy and promote awareness on the ethical use of WHO information assets.

51. All staff have a responsibility to act morally and ethically when accessing and using WHO information assets. This includes maintaining confidentiality and privacy of information where required, and ensuring compliance with regulatory and legal obligations.

III.5 Risk assessments

All WHO staff and business units should support the conduct of risk assessments.

52. The CISO will perform risk assessments to determine key WHO assets and the level of risk to those assets. This assessment forms a critical part of the WHO Global Information Security Policy and the CISO's mandate to assure protection of key WHO assets. Risk assessments also enable the CISO to measure the effectiveness of information security policy and technical strategies and whether additional measures are required.

53. A protection plan will be jointly developed with and presented to asset owners after completion of a risk assessment. Owners will take all reasonable steps to implement this protection plan.

54. The CISO, in consultation with the G-WG-InfoSec and the business owners of critical information assets, will determine the schedule for information assets to undergo risk assessment.

55. Risk assessment outcomes and subsequent protection plans will be developed according to WHO's risk position. The risk position will be determined by management for particular assets under their control, and by Senior Management for the overall WHO risk position.

III.6 Information security design and implementation

All WHO staff and business units must incorporate information security as an essential element of information systems and network design and implementation.

56. Projects, departments, vendors or managed service providers that are planning, developing or deploying new or revised information assets for WHO must be aware of information security policies, standards and procedures that affect their asset(s).

57. Consultation with the CISO is mandatory during the asset design phase to ensure information security is appropriately considered and budgeted for. Any subsequent architectural or implementation decisions made by developers or management must be documented and auditable.

58. All new WHO applications (web or otherwise) and ICT services will be covered by the WHO Global Information Security Policy and associated policies and standards. Technical staff and application developers must ensure they are familiar with WHO information security policy, standards and procedures affecting the assets under their control. A timetable for application of the WHO Information Security Policy to pre-existing applications will be determined by the CISO in consultation with the G-WG-InfoSec.

III.7 Information security management

All WHO staff and business units should adopt a comprehensive approach to information security management.

59. Central to WHO's Information Security Management System (ISMS) is the requirement for business units to prove or certify that their key information assets are compliant with the organization's information security policy. This ensures the CISO is consulted during asset design or review phases.

60. The CISO's work is defined by an information security management lifecycle that incorporates strong quality assurance measures and performance metrics, to ensure results remain accurate. This lifecycle process is defined in international standards, and amended for adoption within WHO. The process explains how information security management is implemented at WHO. The PLAN, DO, CHECK, ACT model (shown below) ensures completeness in the approach to information security within WHO, and also ensures a quality process that is continually being refined.


Information Security Management System (ISMS) cycle* (ref. ISO/IEC 27001:2005). The diagram is reproduced as text: the four phases PLAN, DO, CHECK and ACT form a cycle around the Information Security Controls.

PLAN
• Determine the scope of the ISMS
• Develop ISMS policy
• Conduct risk assessment
• Develop risk treatment plan
• Select security objectives and controls
• Justify selection of controls against risk assessment (statement of applicability)

DO
• Implement preventive plans
• Operate security controls
• Promptly detect and respond to incidents
• Ensure staff are security aware, trained and competent
• Manage necessary resources

CHECK
• Ensure security controls are in place and are achieving objectives
• Review residual risk levels
• Review security processes
• Determine metrics
• Check monitoring and response capacity
• Learning from others
• Internal ISMS audit
• Management review

ACT
• Corrective action
• Preventive action
• Improvements, e.g.
  o Improve security processes
  o Refine risk mitigation plans
  o Develop and refine policy
  o New security controls

(*): Domains of Information Security Controls and Best Practices, as defined by ISO/IEC 17799:2005:

• Information security policy;
• Organization of information security;
• Asset management;
• Human resources for information security;
• Physical and environmental security;
• Communications and operations management;
• Access control;
• Information systems acquisition, development and maintenance;
• Information security incident management;
• Business continuity management;
• Compliance.

Specific control measures include but are not limited to:

• Governance, Technical and End-User Policies; Standards and Reference Architecture;
• Auditing and Compliance Assessment; Certification;
• Vulnerability Management; Anti-Malware (Virus, Worms, Trojan horses, SPAM, spyware) Systems;
• Access-control Enforcement (firewalls/IPS, authentication, authorization, accounting systems, etc.);
• Monitoring, Surveillance and Response; Incident Response Teams;
• Awareness and Training Programs.


III.8 Reassessment

All WHO staff and business units must support the review and reassessment of information systems and networks, and make appropriate modification to information security policies, practices and procedures as determined by the CISO.

61. The CISO will perform regular reassessment and compliance assessments of WHO information assets to ensure the Organization's risk profile is accurate and risk is minimized.

62. WHO Information Security Management System will be continuously reviewed to provide quality assurance and alignment with industry best practices and current threat profiles. The CISO will commit to ongoing training to ensure the implementation of the WHO Global Information Security Policy keeps pace with emerging threats and technologies.

63. WHO information security policies and procedures will be reassessed and updated progressively to ensure they keep pace with changing security requirements and new information security threats.


Acknowledgements

1. ISO/IEC 27001, Information Technology - Information Security Management System - Requirements (October 2005).
2. ISO/IEC 17799, Information Technology - Code of Practice for Information Security Management (June 2005).
3. ACSI33, Australian Government Information and Communications Technology Security Manual, Draft Version (January 2005).
4. Canavan, S., An Information Security Policy Development Guide for Large Companies, SANS Institute (November 2004).
5. Guel, Michele, A Short Primer for Developing Security Policies, SANS Institute (2001).
6. Weise, J. and Martin, C., Data Security Policy - Structure and Guidelines, Sun Microsystems Inc. (December 2001).
7. Jarmon, D., A Preparation Guide to Information Security Policies, SANS Institute (2002).
8. Creating, Implementing and Managing the Information Security Lifecycle, Internet Security Systems (ISS) (2000).
9. E-security Begins with Sound Security Policies, Symantec Corporation (2001).
10. OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security, OECD (2002).
11. RFC 2196, Site Security Handbook, Network Working Group, IETF (September 1997).
12. Computer Security Resource Centre, National Institute of Standards and Technology, US Federal Government.


Annex A: Sample Technical and End-User Policy Domains

Network and Communication Systems Security

• High Security LAN Architecture (DMZ)
• Firewall
• Intrusion Detection and Prevention System (IDS/IPS)
• Global IP addressing
• Domain Name System
• Electronic Messaging
• Mailing List
• Instant Messaging
• Anti-Malware (virus, worm, Trojan horses, spyware)
• Wireless Network
• Internet Cafe
• Virtual Private Network (VPN) and Remote Access
• File Transfer and Sharing
• Operating systems
• Printing
• Telephone PBX
• Mobile Phones
• Video Conference
• IP Telephony
• FAX
• Multimedia
• Network Management
• Traffic Monitoring
• Bandwidth Management
• Password Management
• Patch Management
• Configuration Management
• Asset Management
• Log Management
• Configuration Backup and Restoration
• Systems Disaster Recovery and Contingency Planning
• Insurance (Systems damage or Services interruption)

Enterprise Applications Security

• Web Applications
• ERP (GSM)
• Intranet
• Extranet
• Internet (www.who.int)
• Collaboration and Knowledge Sharing Tools
• Telecommuting and Home Computing
• Data Backup and Restoration
• Data Disaster Recovery and Contingency Planning
• Insurance (Data loss)

Data Access Security

• Data Classification
• Identity Management
• Authentication
• Authorization and Access Control
• Encryption
• Digital signatures
• Certificate Management
• Key Management

Physical Security

• Building Access
• Controlled Area Access
• Equipment Protection
• Housekeeping
• Water Protection
• Fire Protection
• Air Conditioning and Electronic Power
• Insurance (Site destruction or Equipment damage)

End-User Policy Booklet

• Security Awareness
• Acceptable Use
• Password strength, sharing and changing
• Email Security
• Remote Access and use of home systems
• Locking and logging out of systems
• Acceptance of systems being audited and monitored
• Data classification standards
• Transmission and storage of WHO information
• Strong Authentication for the ERP